In the past year, we saw a surge in digital transformation that reflected the accelerated delivery of many organizations’ multiyear technology roadmaps. McKinsey claims we’ve now passed a tipping point that may have forever adjusted business operations. The use of multi-cloud environments and cloud-native architectures based on microservices, containers, and Kubernetes is at the heart of this transformation. While these approaches undoubtedly help DevOps teams drive digital agility and faster time-to-market, they also introduce new application security challenges that represent a serious risk.
Cloud platforms are the foundational layer on which organizations build DevOps-based digital transformation initiatives. These environments drive cost efficiencies and greater IT flexibility, as well as enable organizations to pivot quickly in response to evolving market demands. As demand for faster innovation grows across every industry, organizations are investing more in cloud-native architectures. Gartner predicts that by 2022, three-quarters of global organizations will be running containerized applications in production – up from less than 30 percent in 2020.
Containers and microservices break down application functionality into more manageable pieces that can be rapidly built, tested, and deployed, which helps teams accelerate innovation. Cloud-native architectures also offer organizations the flexibility of moving workloads between different platforms to ensure their environment is always the best fit for their needs at any moment in time. However, this more dynamic, cloud-native era is accompanied by new challenges. DevOps teams may not have the tools or resources needed to manage the additional layer of complexity and identify vulnerabilities in their code before they become an exposure.
This is a particular challenge given the widespread use of open-source libraries. These libraries help speed time-to-market by removing the need for DevOps teams to write every line of code from scratch. However, they also contain countless vulnerabilities that need to be continually identified and weeded out. This isn’t easy in a dynamic cloud-native environment, where change is the only constant.
Legacy tools create blind spots
Our own research uncovered additional concerns. For example, 89%t of global CISOs admitted microservices, containers, Kubernetes, and multi-cloud environments have created blind spots, as their traditional application security solutions are incapable of seeing into them. These legacy tools were designed for a different era, characterized by static infrastructure and monolithic applications. In those environments, a single monthly scan was enough to identify most vulnerabilities before they could be exploited.
Today, container lifespans are measured in hours and days. Those same tools simply can’t keep up with that pace of change. They also usually can’t see inside containerized applications, and are unable to spot the flaws within their code. As a result, even the most well-documented vulnerabilities, like the Apache Struts library flaw that caused the 2017 Equifax breach, can evade detection for months, or even years.
At the same time, 85% of the security leaders surveyed want DevOps and application teams to take more direct responsibility for vulnerability management. There’s nothing wrong with this – in fact, many regard DevSecOps and shifting security ‘left’ as the best and most cost-effective way to mitigate risk. However, existing tools and processes are letting these teams down. Teams don’t have time to carry out manual scans, often lack the skills needed to take responsibility for security, and don’t have the ability to detect critical vulnerabilities quickly enough. Some DevOps teams even bypass security controls altogether, while others refuse to work with security teams over concerns taking these steps will slow time-to-market.
YOU MIGHT LIKE
Who is coming out on top in the multi-cloud war?
As a result, more vulnerabilities are slipping through security nets and making their way into production environments. A shocking 71% of CISOs in our research said they aren’t fully confident code is free of vulnerabilities before going live in production.
No fit-for-purpose cloud-native environments
These findings underscore the conclusion that traditional security approaches and manual impact assessments are no longer fit-for-purpose in dynamic cloud-native environments. Real-time insights are crucial when containers are spinning up and down within seconds, and dependencies between microservices are in continual flux as they cross the boundaries between cloud platforms. Legacy vulnerability scanners offer only a static point-in-time view, and often can’t tell the difference between potential risk and actual exposure. This can lead to application security and DevOps teams becoming overwhelmed with thousands of vulnerability alerts each month — many of which are false positives.
It’s no surprise that three-quarters (74%) of CISOs believe such vulnerability scanning tools are ineffective. Not only do these legacy tools fail to keep up with the rapid pace of change in containerized environments, but they’re also guilty of slowing the transition to DevSecOps down by focusing on only one stage of the software delivery lifecycle. The lack of context this provides makes it hard for teams to source and apply the right patches, and teams can’t find vulnerabilities quickly enough to minimize risk once code is deployed. Combine the volume of false positives and alerts with the lack of context offered by legacy tools and you have a recipe for countless wasted hours and increased application security risk.
Automation is the future
To overcome these challenges and eliminate the manual burden on their teams, organizations need the ability to identify application exposures automatically. This is possible if they have the ability to automate tests during runtime, without the need for configuration or any extra efforts from DevOps teams.
By combining vulnerability data with knowledge of the runtime environment – such as whether the code in question is exposed to the internet – DevSecOps teams can get all the context they need to understand the cause, nature, and impact of the problem in real-time. In so doing, teams can efficiently reduce risk and accelerate innovation at the speed of the business. Indeed, over three-quarters (77%) of CISOs say the only way for security to keep up with modern cloud-native application environments is to replace manual deployment, configuration, and management with this more automated approach. This will not only be critical to safeguarding organizations from the threats they face in today’s cloud-native world, but also enabling them to fuel innovation-led growth in the new post-pandemic era.
Article contributed by Ben Todd, Senior Director Security, EMEA, Dynatrace
17 August 2022
17 August 2022